# Traefik Forward Auth

Yet another minimal modification of a great minimal forward authentication service that provides OAuth/SSO login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.

## Why?

The original [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) forwards authentication between an Identity Provider like [keycloak](https://www.keycloak.org/) and the [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware of [traefik](https://doc.traefik.io/traefik/).

This project's modification adds minimal authorization functionality. The [traefik-forward-auth](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/) is configured with a `REQUIRED_ROLE`, and access to the resource is only granted if the access token issued by the Identity Provider contains a claim with that particular role.

## Docker Image

The Docker image can be found at [DockerHub wollud1969/traefik-forward-auth](https://hub.docker.com/r/wollud1969/traefik-forward-auth).

## Configuration

### ... of traefik-forward-auth

The `examples` directory contains the YAML files to deploy a whoami service ([at GitHub](https://github.com/traefik/whoami/), [at Docker Hub](https://hub.docker.com/r/containous/whoami)) and the related YAML files to deploy and configure the traefik-forward-auth service.

The only relevant modification to the original [advanced separate pod example](https://github.com/thomseddon/traefik-forward-auth/tree/master/examples/traefik-v2/kubernetes/advanced-separate-pod) is the configuration parameter `REQUIRED_ROLE`.

### ... of the Identity Provider

![Keycloak Client General Settings](./images/Keycloak-General-Settings.png)

![Keycloak Client Access Settings](./images/Keycloak-Access-Settings.png)

![Keycloak Client Capability Settings](./images/Keycloak-Capability-Config.png)

![KeyCloak Client Roles](./images/Keycloak-Client-Roles.png)

![Keycloak Client Mapper](./images/Keycloak-Client-Mapper.png)

## Copyright

2018 Thom Seddon

2023 Wolfgang Hottgenroth

## License

[MIT](https://github.com/thomseddon/traefik-forward-auth/blob/master/LICENSE.md)

[MIT](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/-/blob/master/LICENSE.md)
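
Returning to the `REQUIRED_ROLE` check described under "Why?": the sketch below is an added example, not this project's code, showing a role check that matches exactly and denies on a missing or malformed claim. It assumes the token signature has already been verified, that the role claim is a top-level claim named `roles` (hypothetical; the real name depends on the client mapper), and that an empty required role means deny.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// hasRequiredRole checks an already signature-verified access-token payload.
// Assumption: the claim is a top-level JSON string array (or a single string).
func hasRequiredRole(payload []byte, claimName, required string) (bool, error) {
	if required == "" {
		return false, errors.New("required role not configured") // fail closed
	}
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	raw, ok := claims[claimName]
	if !ok {
		return false, nil // no role claim at all: deny
	}
	var roles []string
	if err := json.Unmarshal(raw, &roles); err != nil {
		var single string
		if err := json.Unmarshal(raw, &single); err != nil {
			return false, fmt.Errorf("claim %q is neither string nor string array", claimName)
		}
		roles = []string{single}
	}
	for _, r := range roles {
		if r == required { // exact, case-sensitive; no prefix or substring match
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample payloads, not taken from a real Identity Provider.
	samples := []string{
		`{"sub":"alice","roles":["whoami-user","offline_access"]}`,
		`{"sub":"bob","roles":["whoami-user-readonly"]}`,
	}
	for _, s := range samples {
		ok, err := hasRequiredRole([]byte(s), "roles", "whoami-user")
		fmt.Printf("%s -> allowed=%v err=%v\n", s, ok, err)
	}
}
```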